Method, Apparatus, Computer Program and Data Carrier for Determining a Shared Secret Cryptographic Key

ABSTRACT

A system and method for determining a secret crypto-graphic key shared between a sending unit and a receiving unit for secure communication includes obtaining, by the sending unit, a random bit sequence, and transmitting, at the sending unit, a first sequence of electromagnetic pulses to the receiving unit via a communication channel, wherein each electro-magnetic pulse of the first sequence of electromagnetic pulses corresponds to a bit of the random bit sequence according to a ciphering protocol, the signal loss is determined in the communication channel caused by an eavesdropper, and an information advantage is estimated over the eavesdropper based on the determined signal loss. Privacy amplification is performed based on the estimated information advantage in order to establish a shared secret crypto-graphic key.

TECHNICAL FIELD

The disclosure relates to a method, apparatus, computer program and datacarrier for determining a secret cryptographic key shared between asending unit and a receiving unit for secure communication.

BACKGROUND

The field of quantum communications promises means for a truly secureexchange of information between a sender and a receiver by exploitingthe peculiar properties of quantum mechanics that manifest, e.g., inHeisenberg's uncertainty principle and the non-cloning theorem. Forexample, if a true quantum state is transmitted from a sender (Alice) toa receiver (Bob) via a quantum channel, an eavesdropper (Eve) attemptingto measure a small part of the signal associated with said quantum statewould gain only little information, because quantum fluctuations wouldlargely dominate the small signal attainable by the eavesdropper. Thus,a one shot measurement performed by the eavesdropper could not yield anymeaningful results and the communication between the sender and thereceiver may be considered as fully secure.

Therefore, various quantum key distribution schemes rely on opticalattenuators or high-quality single photon sources exhibiting strongoptical nonlinearities, high-precision photon counting detectors as wellas extremely low-loss transmission lines in order to ensure that quantumstates exhibiting large quantum fluctuations can be generated andtransmitted with minimal intrinsic losses.

However, aside from the complexity of the required quantum hardware, thelow key exchange rate permitted by state of the art photon detectors aswell as the limited range of quantum communications due to dissipationand decoherence severely limit the practical applicability of thoseschemes. In addition, some backdoors in quantum communications, e.g., bydeliberately attacking sensitive hardware components and therebycreating information-leaking side channels, have been discovered andprovide severe security risks.

OVERVIEW OF THE DISCLOSURE

It is an objective of the present disclosure to overcome suchlimitations and provide a simple and practical method, apparatus,computer program and data carrier for determining and distributing asecret cryptographic key enabling secure communications with a high keyexchange rate.

This objective is achieved by the method, apparatus, computer programand data carrier as set forth in claims 1, 11, 14 and 15. Advantageousdevelopments and embodiments are described in the dependent claims.

The disclosure relates to a method for determining a secretcryptographic key shared between a sending unit and a receiving unit forsecure communication. The method comprises the following steps:

A first step comprises obtaining, by the sending unit, a random bitsequence.

A second step comprises transmitting, at the sending unit, a firstsequence of electromagnetic pulses to the receiving unit via acommunication channel. Thereby, each electromagnetic pulse of the firstsequence of electromagnetic pulses corresponds to a bit of the randombit sequence according to a ciphering protocol.

A third step comprises receiving, at the receiving unit, a secondsequence of electromagnetic pulses corresponding to the transmittedfirst sequence of electromagnetic pulses, and deciphering the secondsequence of electromagnetic pulses based on the ciphering protocol.

A fourth step comprises applying information reconciliation based on thereceived second sequence of electromagnetic pulses in order to establisha shared bit sequence.

A fifth step comprises determining a signal loss in the communicationchannel caused by an eavesdropper.

A sixth step comprises estimating an information advantage over theeavesdropper based on the determined signal loss.

A seventh step comprises performing privacy amplification based on theshared bit sequence and the estimated information advantage in order toestablish a shared secret cryptographic key.

With the proposed method a secret cryptographic key may be determinedand distributed between the sending unit and the receiving unit with ahigh level of security and efficiency. The proposed scheme may permit toutilize quantum fluctuations without the need for employing strongattenuators, single photon sources and/or single photon detectors. Inparticular, by encoding/ciphering a random bit sequence into a firstsequence of electromagnetic pulses according to a ciphering protocol, aparticular robust and flexible encoding scheme may be realized. Thereby,the first sequence of electromagnetic pulses may be transmitted over alossy communication channel while ensuring a robust detection andreliable decoding/deciphering at the receiving side even in the presenceof dissipation and decoherence.

By performing information reconciliation based on the received secondsequence of electromagnetic pulses, any inconclusive results may bediscarded and the error rate of deciphering may be considerably reduced.Moreover, by determining signal loss in the communication channel causedby a potential eavesdropper, estimating the information advantage overthe eavesdropper and using said estimation result in a privacyamplification scheme may permit to reduce and even eradicate theinformation of the eavesdropper, thereby ensuring the secrecy of theestablished shared cryptographic key at a high key exchange rate.

Preferably, the second step is carried out after the first step iscarried out, the third step is carried out after the second step iscarried out, the fourth step is carried out after the third step iscarried out, and/or the seventh step is carried out after the fourthstep is carried out. Optionally, the fifth step is carried out after thefourth step is carried out and/or the sixth step is carried out afterthe fifth step is carried out.

However, at least some steps may be carried out in a different order.Exemplarily, the fifth step and/or the sixth step may also be carriedout before the first step is carried out and/or before the second stepis carried out and/or before the third step is carried out and/or beforethe fourth step is carried out.

In addition, the method may comprise an initial step of obtaining, bythe sending unit and/or the receiving unit, the ciphering protocol. Theinitial step may also comprise determining, by the sending unit, aciphering protocol and/or transmitting, by the sending unit, a/theciphering protocol to the receiving unit, e.g., by using anauthenticated public classical channel or the communication channel. Theinitial step may be carried out before the first step or before thesecond step is carried out.

Optionally, when the fifth step and/or the sixth step are carried outbefore the second step is carried out, the estimating of the informationadvantage may comprise optimizing the information advantage for thedetermined signal loss caused by an eavesdropper as a function of atleast one ciphering parameter, and determining the ciphering protocolaccording to the optimization result in order to ensure a maximalinformation advantage over the eavesdropper. The optimizing of theinformation advantage may be achieved by analytical or numerical means.For example, the information advantage may be calculated using Shannoninformation theory. More specifically, the information advantage may beexpressed in terms of the signal loss caused by an eavesdropper, atleast one ciphering parameter and/or the intrinsic signal loss of thecommunication channel. The intrinsic signal loss of the communicationchannel may be predetermined and/or measured together with the signalloss caused by an eavesdropper, as will be explained further below.

The at least one ciphering parameter may correspond to the degree ofindistinguishability between a first quantum state and a second quantumstate. The first quantum state and the second quantum state may be usedin the ciphering protocol in order to distinguish between a bit with abit value 0 and a bit with a bit value 1. The first quantum state may beassigned according to the ciphering protocol to a bit of the random bitsequence with bit value 0 and the second quantum state may be assignedaccording to the ciphering protocol to a bit of the random bit sequencewith bit value 1.

More specifically, the ciphering protocol may comprise an assignmentrule. The assignment rule may comprise assigning bit values to quantumstates and/or electromagnetic pulses. Preferably, the ciphering protocolcomprises a binary encoding scheme, wherein each electromagnetic pulseof the first sequence corresponds to a bit of the random bit sequence.According to the assignment rule, a first electromagnetic pulse and/orthe first quantum state may be assigned to a bit value 0, and a secondelectromagnetic pulse and/or the second quantum state may be assigned toa bit value 1. More specifically, according to the ciphering protocol afirst electromagnetic pulse of the first sequence may correspond to thefirst quantum state and may be assigned to a bit of the random bitsequence with a bit value 0. A second electromagnetic pulse of the firstsequence may correspond to the second quantum state and may be assignedto a bit of the random bit sequence with the bit value 1. Thus, thefirst sequence of electromagnetic pulses may comprise only firstelectromagnetic pulses and second electromagnetic pulses.

The ciphering protocol may also comprise ciphering mode information,wherein according to the ciphering mode information the ciphering modeis intensity ciphering or phase ciphering.

If the ciphering mode is intensity ciphering, the average photon numberof the first electromagnetic pulse and/or first quantum state may bedifferent from the average photon number of the second electromagneticpulse and/or second quantum state. The phase of the firstelectromagnetic pulse and/or the first quantum state and the phase ofthe second electromagnetic pulse and/or the second quantum state may beidentical.

If the ciphering mode is phase-ciphering, the phase of the firstelectromagnetic pulse and/or the first quantum state may be differentfrom the phase of the second electromagnetic pulse and/or the secondquantum state. The average photon number of the first electromagneticpulse and/or first quantum state and the average photon number of thesecond electromagnetic pulse and/or second quantum state may beidentical.

Preferably, the first quantum state and the second quantum state arecoherent states. In the following, the first quantum state may also becalled the first coherent state, and the second quantum state may alsobe called the second coherent state. Most preferably, the first coherentstate and the second coherent state are quasi-classical coherent states.Correspondingly, the electromagnetic pulses of the first sequence ofelectromagnetic pulses and/or the electromagnetic pulses of the secondsequence of electromagnetic pulses may be coherent electromagneticpulses, preferably quasi-classical coherent electromagnetic pulses.

Alternatively, the electromagnetic pulses of the first sequence and/orthe second sequence and/or the first quantum state and/or the secondquantum state may also correspond to the/a squeezed state(s) or the/aFock state(s).

Exemplary, the average photon number of the first quantum state and/orthe second quantum state may be greater than 1. The average photonnumber of the first quantum state and/or the second quantum state may besmaller than 10,000.

The proposed method for determining a secret cryptographic key sharedbetween a sending unit and a receiving unit may be used for securecommunications over short as well as long distances. Optionally, thephotons of the first electromagnetic pulse(s) and the photons of thesecond electromagnetic pulse(s) may be microwave photons, terahertzphotons or optical photons. In case of microwave photons, long distancecommunications may refer to in the range of several meters or severalkilometers. In case of terahertz or optical photons, long distancecommunications may refer to communications over several hundred orseveral thousand kilometres.

In particular, when the first electromagnetic pulse and the secondelectromagnetic pulse correspond to quasi-classical coherent states, thepart of the signal that an eavesdropper can seize from the transmittedfirst sequence of electromagnetic pulses may still exhibit large quantumfluctuations since the number of photons of the transmittedelectromagnetic pulses may still be sufficiently small. Therefore, theeavesdropper may not be able to efficiently amplify said small part ofthe signal and gain only little information about the random bitsequence.

The degree of indistinguishability of the first quantum state and thesecond quantum state may be defined as the absolute value of the overlapmatrix element of the first quantum state and the second quantum state.

When the degree of indistinguishability is small, the first quantumstate and the second quantum state may be almost orthogonal andperfectly distinguishable. Therefore, in order to reduce the error rateof deciphering at the receiving unit it may be advantageous if thedegree of indistinguishability of the first quantum state and the secondquantum state is small and/or decreased. The degree ofindistinguishability may be smaller than 1.

On the other hand, if the degree of indistinguishability between thefirst quantum state and the second quantum state is too small, theeavesdropper may be able to efficiently amplify even a small part of thesignal. Preferably, the degree of indistinguishability is larger than 0.

Moreover, the information advantage over the eavesdropper determines thekey generation rate/speed. Both parameters depend sensitively on thedegree of indistinguishability between the first quantum state and thesecond quantum state of the ciphering protocol. It may thus beadvantageous to determine an optimal degree of indistinguishability byfirst optimizing the information advantage over the eavesdropper asdescribed further above and determining the ciphering protocol, i.e.,the first quantum state and the second quantum state, such that theirdegree of indistinguishability corresponds to the optimal value.

Optionally, the second step comprises amplifying the transmitted firstsequence of electromagnetic pulses in or along the communication channeland/or at the receiving unit. Optionally, the amplifying of thetransmitted first sequence of electromagnetic pulses may be carried outat regular distances along the communication channel, e.g., every 50 kmor 100 km. The usage of in-line amplifiers may permit to compensatesignal loss in the communication channel and achieve long distancecommunication at comparably low cost.

The third step may comprise measuring the intensities and/or the phasesof the second sequence of electromagnetic pulses, e.g., by using ahomodyne detector, a heterodyne detector, a photon counting detector ora combination thereof. For example, if phase-ciphering is employedaccording to the ciphering protocol, the third step may comprisemeasuring the phases of the electromagnetic pulses of the secondsequence. If intensity-ciphering is employed according to the cipheringprotocol, the third step may comprise measuring the intensities of theelectromagnetic pulses of the second sequence.

The third step may comprise deciphering, at the receiving unit, thesecond sequence of electromagnetic pulses in order to obtain anapproximate result for the random bit sequence. The approximate resultfor the random bit sequence obtained from deciphering the secondsequence of electromagnetic pulses may not be exactly identical to therandom bit sequence obtained by the sending unit by using a randomnumber generator.

For example, if the first quantum state and the second quantum state arenot orthogonal, the deciphering of the second sequence ofelectromagnetic pulses may lead to inconclusive results, whereinaccording to a measured phase or intensity of an electromagnetic pulseof the received second sequence, the respective electromagnetic pulsecannot unambiguously be identified with a bit value 0 or a bit value 1.The inconclusive results, i.e., the corresponding bits, may be discardedby performing information reconciliation in the fourth step describedfurther below.

Optionally, the third step may also comprise measuring both quantities,i.e., phase and intensity, of the electromagnetic pulses of the secondsequence.

For example, if the ciphering protocol comprises intensity-ciphering theintensities of the received electromagnetic pulses may be measured inorder to decipher the second sequence of electromagnetic pulses. Inaddition, their phases may be measured in order to determine thecomplex-valued amplitude of the received electromagnetic pulses, and themethod may use this information when determining the information gainobtained over the eavesdropper in the sixth step.

The fourth step, i.e., information reconciliation, may be carried out inorder to discard inconclusive results of the deciphering of the secondsequence of electromagnetic pulses. For that purpose, the fourth stepmay comprise announcing, by the receiving unit, the inconclusive resultsusing an authenticated public classical channel.

Optionally, the fourth step may comprise sending feedback informationfrom the receiving unit to the sending unit using an authenticatedpublic classical channel, wherein the feedback information may includeinformation about inconclusive results obtained from the deciphering ofthe second sequence of electromagnetic pulses. The inconclusive resultsmay then be discarded by the sending unit and the receiving unit inorder to establish a shared bit sequence, i.e., a bit sequence sharedbetween the sending unit and the receiving unit. Thus, the shared bitsequence may be shorter than the random bit sequence obtained by thesending unit in the first step.

In case an eavesdropper seizes part of the signal associated with thetransmitted first sequence of electromagnetic pulses, the shared bitsequence established in the fourth step may not be fully secure.Therefore, the signal loss of the communication channel caused by aneavesdropper may be determined in the fifth step and used in the sixthstep when estimating the information advantage over the eavesdropper.The estimated information advantage over the eavesdropper may then beused in the seventh step in order to establish the shared secretcryptographic key using privacy amplification.

The determining of the signal loss in the communication channel causedby an eavesdropper may comprise transmitting at least one randomizedelectromagnetic test pulse from the sending unit to the receiving unitvia the communication channel. At the receiving unit the at least onerandomized electromagnetic test pulse may be detected and its phaseand/or intensity may be measured. The at least one randomizedelectromagnetic test pulse may correspond to a high-intensity coherentstate. A high-intensity coherent state may comprise an average photonnumber that is greater than 10,000, preferably greater than 100,000.

The signal loss in the communication channel caused by an eavesdroppermay then be determined from the at least one randomized electromagnetictest pulse received at the receiving unit. For example, the sending unitmay send test pulse information about the at least one randomizedelectromagnetic test pulse to the receiving unit, e.g., via anauthenticated public classical channel.

Exemplarily, the test pulse information may comprise information aboutthe transmit time, intensity, phase, duration and/or shape of the atleast one electromagnetic test pulse. Exemplarily, the phase and/orintensity of the at least one transmitted randomized electromagnetictest pulse may be measured at the receiving unit and compared with thephase and/or intensity of the at least one electromagnetic test pulsesent by the sending unit in order to determine the signal loss in thecommunication channel caused by an eavesdropper.

Preferably, the test pulse information is sent to the receiving unitafter the at least one randomized electromagnetic test pulse has beenreceived by the receiving unit. In this way, an eavesdropper attemptingto seize information about the at least one randomized electromagnetictest pulse may be forced to first measure the at least one randomizedelectromagnetic test pulse and subsequently reproduce it, therebyprolonging the transmission. The corresponding abnormal delay may bedetected by the receiving unit. In that case, the transmitting of atleast one randomized electromagnetic test pulse may be repeated until noabnormal delay is detected at the receiving unit. This may ensure thatthe at least one randomized electromagnetic test pulse is not corruptedor measured by the eavesdropper.

By comparing the test pulse information with the at least oneelectromagnetic test pulse received at the receiving unit, a totalsignal loss may be determined. If the communication channel is ideal,i.e., no intrinsic signal loss occurs in or along the communicationchannel in the absence of an eavesdropper, the total signal loss maycorrespond to the signal loss caused by an eavesdropper. If thecommunication channel is not ideal, i.e., intrinsic signal loss occursin or along the communication channel even in the absence of aneavesdropper, the signal loss caused by an eavesdropper may bedetermined from the measured total signal loss and the intrinsic signalloss. The intrinsic signal loss may be predetermined, e.g., measured inadvance or calculated/estimated based on a theoretical model of thecommunication channel.

The at least one randomized electromagnetic test pulse may be ahigh-intensity coherent electromagnetic pulse. Preferably, the at leastone randomized electromagnetic test pulse comprises at least 10⁴photons. The at least one randomized electromagnetic test pulse may alsocomprise more than 10⁵ photons.

The at least one randomized electromagnetic test pulse may comprise arandom pulse intensity and/or a random pulse phase and/or a random pulseduration and/or a random pulse shape.

Alternatively or additionally, the signal loss in the communicationchannel caused by an eavesdropper may be determined from a sequence ofrandomized electromagnetic test pulses received at the receiving unit.The sequence of randomized electromagnetic test pulses may correspond tomultiple randomized electromagnetic test pulses. More specifically, thesending unit may generate or obtain an auxiliary random bit sequence andencode the auxiliary random bit sequence into the sequence of randomizedelectromagnetic test pulses, wherein each electromagnetic test pulse ofthe sequence of randomized electromagnetic test pulses corresponds to abit of the auxiliary random bit sequence according to an auxiliaryciphering protocol.

More specifically, the auxiliary ciphering protocol may comprise anassignment rule. According to the assignment rule of the auxiliaryciphering protocol a first electromagnetic test pulse corresponding to afirst classical state may be assigned to a bit value 0, and a secondelectromagnetic test pulse corresponding to a second classical state maybe assigned to a bit value 1. The ciphering mode of the auxiliaryciphering protocol may be phase-ciphering or intensity-ciphering. Theauxiliary ciphering protocol may be sent from the sending unit to thereceiving unit after the receiving unit has received the sequence ofrandomized electromagnetic test pulses.

Preferably, the intrinsic loss of the communication channel in theabsence of an eavesdropper is also determined, predetermined and/orestimated.

Optionally, the communication channel may be prepared and properlyinstalled such that it exhibits no points of inflections or crudejunctions. In that case the intrinsic signal loss in the communicationchannel may occur solely due to Rayleigh scattering along the wholecommunication channel. Therefore, the eavesdropper may not be able toefficiently exploit the intrinsic signal loss in order to seize part ofthe signal associated with the transmitted first sequence. Instead, theeavesdropper may bend the communication channel near the sending unitand measure the transcending electromagnetic modes.

In particular, if the intrinsic loss in the communication channel, e.g.,due to Rayleigh scattering, is appreciable, the fifth step may alsocomprise determining the intrinsic loss of the communication channel.This may be achieved by transmitting at least one initialelectromagnetic pulse from the sending unit to the receiving unit viathe communication channel, and measuring the at least one transmittedinitial electromagnetic pulse at the receiving unit. Thereby, the atleast one initial electromagnetic pulse may be transmitted on a veryshort time scale before the eavesdropper has a chance to intrude intothe communication channel.

The at least one initial electromagnetic pulse may also correspond to ahigh-intensity coherent state.

The phase and/or intensity of the at least one initial transmittedelectromagnetic pulse may be measured at the receiving unit and comparedwith the phase and/or intensity of the at least one initialelectromagnetic pulse sent by the sending unit in order to determine theintrinsic signal loss in the communication channel. The intrinsic lossmay also be determined, predetermined or estimated using a theoreticalor numerical model of the communication channel and/or using a differentmethod/experiment.

In the sixth step, the information advantage over an eavesdropper may beestimated by using Shannon information theory. Specifically, the sixthstep may comprise estimating the maximum of information obtained by aneavesdropper about the shared bit sequence established in the fourthstep. The maximum of information obtained by an eavesdropper about theshared bit sequence established in the fourth step may be estimatedbased on the degree of indistinguishability of the first quantum stateand the second quantum state, the determined signal loss in thecommunication channel caused by an eavesdropper and/or the intrinsicsignal loss in the communication channel.

The sixth step may also comprise estimating the mutual information ofthe sending unit and the receiving unit based on the degree ofindistinguishability of the first quantum state and the second quantumstate, the determined signal loss in the communication channel caused byan eavesdropper and/or the intrinsic signal loss in the communicationchannel.

The information advantage over an eavesdropper may then be determined orestimated by subtracting the maximum of information gained by theeavesdropper about the shared bit sequence from the mutual informationof the sending unit and the receiving unit.

In this way, the functional dependence of the information advantage overan eavesdropper on the degree of indistinguishability of the firstquantum state and the second quantum state, the determined signal lossin the communication channel caused by an eavesdropper and/or theintrinsic signal loss in the communication channel can be derived andused for the optimization of the information advantage in order todetermine an optimal ciphering protocol as described further above.

In this case, the estimate of the information advantage over aneavesdropper in the sixth step may correspond to the theoretical maximumof the information advantage over an eavesdropper. The functionaldependence of the information advantage over an eavesdropper may bestored electronically in an electronic storage device of the sendingunit and may be represented as a quasi-continuous curve, a discrete setor an algebraic or numerical expression/function.

Optionally, the signal loss in the communication channel caused by aneavesdropper may be determined repeatedly and/or at regular timeintervals and/or before the second step is carried out. Correspondingly,the information advantage over an eavesdropper may be estimated and/orupdated multiple times, e.g., each time the signal loss caused by aneavesdropper is determined.

In an embodiment, the second step, the third step, the fourth step, thefifth step, the sixth step and/or the seventh step may only be carriedout once the estimated information advantage over an eavesdropper islarger than 0 and/or exceeds a predetermined threshold, in order toensure that the key generation rate/speed exceeds a minimalpredetermined value.

The method may also comprise an adaptive ciphering scheme/protocol. Theciphering protocol may be adapted after the fourth step is carried outand/or before the second step is carried out. The adapting of theciphering protocol may comprise repeatedly carrying out at least thesecond step, the third step and the fourth step based on the adaptedciphering protocol in order to increase the length of the shared bitsequence in the fourth step and/or to decrease the error rate ofdeciphering at the receiving unit in the fourth step.

According to the adaptive ciphering scheme/protocol an adapt step may becarried out, e.g., after the fourth and/or fifth step is carried out,wherein the adapt step may comprise adapting the ciphering protocolbased on the signal loss caused by an eavesdropper determined in thefifth step. At least the second step, the third step and the fourth stepmay be repeated based on the adapted ciphering protocol, e.g., beforethe sixth step and the seventh step are carried out. The adaptiveciphering may also comprise repeating the first step and/or the fifthstep.

The ciphering protocol may be adapted by adapting the degree ofindistinguishability of the first quantum state and the second quantumstate, and/or the average photon number of the first quantum stateand/or the average photon number of the second quantum state. Morespecifically, the ciphering protocol may be adapted by decreasing thedegree of indistinguishability of the first quantum state and the secondquantum state if the determined signal loss caused by an eavesdropper isbelow a predetermined threshold, and/or by increasing the degree ofindistinguishability of the first quantum state and the second quantumstate if the determined signal loss caused by an eavesdropper is above apredetermined threshold.

For intensity-ciphering, the degree of indistinguishability may beincreased by decreasing the difference in the average photon number ofthe first quantum state and the second quantum state. The degree ofindistinguishability may be decreased by increasing the difference inthe average photon number of the first quantum state and the secondquantum state.

For phase-ciphering the degree of indistinguishability may be increasedby decreasing the sum of the average photon number of the first quantumstate and the second quantum state. The degree of indistinguishabilitymay be decreased by increasing the sum of the average photon number ofthe first quantum state and the second quantum state.

Alternatively or additionally, the ciphering protocol may also beadapted until or such that a termination condition is fulfilled. Thetermination condition may correspond to the positivity of theinformation advantage over an eavesdropper. In that case, the adapt stepmay also be carried out after the sixth step. The ciphering protocol mayalso be adapted in order to ensure a minimal information advantage overan eavesdropper, and/or a minimal key generation speed/rate.

Optionally, also the fifth step and/or the sixth step may be repeated inorder to examine/check whether the termination condition is fulfilledand/or a minimal information advantage over an eavesdropper and/or aminimal key generation speed/rate is ensured. If this is not the case,the adapting of the ciphering protocol and at least the second step, thethird step and the fourth step and, possibly, also the fifth step andthe sixth step, may be repeated, and the termination condition may beevaluated/checked after each repetition of those steps until thetermination condition is fulfilled. Only then, the seventh step may becarried out.

According to the seventh step, privacy amplification may be performed inorder to reduce or completely eradicate the information of aneavesdropper about the to-be-determined secret cryptographic key. Thismay be achieved by distilling a shared secret cryptographic key from theshared bit sequence established in the fourth step with the help ofone-way public discussion between the sending unit and the receivingunit.

More specifically, the privacy amplification may comprise distillingfrom the shared bit sequence obtained in the fourth step a shared secretcryptographic key with length L_(f)=L ΔI, where L is the length of therandom bit sequence obtained in the first step and ΔI is the informationadvantage over an eavesdropper estimated in the sixth step. This may beachieved by shrinking the shared bit sequence of length L I_(AB)established in the fourth step using a random mapping function g:{0,1}^(LI) ^(AB) →{0,1}^(L) ^(f) , where I_(AB) denotes the mutualinformation between the sending unit and the receiving unit about therandom bit sequence. With this choice, a high key exchange rate/speedL_(f)/L may be achieved. Before determining the length of the sharedsecret cryptographic key in this way, the estimated informationadvantage over an eavesdropper may be rounded to the nearest integer.

The disclosure also relates to an apparatus configured to carry out thesteps of the method as described above.

In particular, the apparatus may comprise at least one sending unit, atleast one receiving unit, and optionally at least one communicationchannel that communicatively connects the at least one sending unit andthe at least one receiving unit.

The at least one sending unit may comprise a first electronic evaluationand control unit.

Optionally, the at least one sending unit comprises a random numbergenerator configured to generate the random bit sequence, and/or anelectromagnetic radiation source configured to generate the firstsequence of electromagnetic pulses and/or at least one randomizedelectromagnetic test pulse and/or at least one initial electromagneticpulse.

Optionally, the random number generator may be a classical random numbergenerator.

Optionally, the electromagnetic radiation source may be a laser, aterahertz radiation source or a microwave radiation source.

The at least one receiving unit may comprise a second electronicevaluation and control unit.

Optionally, the at least one receiving unit may comprise a detector unitconfigured to measure intensities and/or phases of the second sequenceof electromagnetic pulses and/or at least one randomized electromagnetictest pulse and/or at least one initial electromagnetic pulse.

Preferably, the at least one communication channel is a transmissionline or an optical fibre.

Most preferably, the at least one communication channel comprises atleast one or multiple in-line amplifier(s). Multiple in-line amplifiersmay be arranged at regular distances along the communication channel,and may be configured to amplify the transmitted first sequence ofelectromagnetic pulses.

Optionally, the at least one communication channel is configured toexhibit intrinsic signal loss only due to Rayleigh scattering. Theintrinsic loss of the at least one communication channel due toattenuation and/or Rayleigh scattering may exceed 3 dB.

The apparatus may additionally comprise at least one authenticatedpublic classical channel configured to transmit feedback informationfrom the at least one receiving unit to the at least one sending unit,e.g., for performing information reconciliation and/or privacyamplification.

The sending unit may be configured to perform the initial step and/orthe first step and/or the adapt step. The sending unit and thecommunication channel may be configured to perform the second step.

The receiving unit may be configured to perform the third step and thesixth step. The sending unit, the receiving unit and the authenticatedpublic classical channel may be configured to perform the fourth stepand the seventh step. The sending unit, the receiving unit and thecommunication channel may be configured to perform the fifth step.

The first electronic evaluation and control unit and/or the secondelectronic evaluation and control unit may comprise at least onecomputing unit, at least one measurement unit and/or at least oneelectronic storage unit. The at least one computing unit may comprise atleast one of a processor, a CPU (central processing unit), a GPU(graphical processing unit).

The disclosure also relates to a computer program comprisinginstructions which, when the program is executed by a computer, causethe computer to carry out the steps of the method as described above.The computer program (or a sequence of instructions) may use softwaremeans for performing the method for determining a secret cryptographickey shared between a sending unit and a receiving unit for securecommunications when the computer program runs in a computing unit. Thecomputer program can be stored directly in an internal memory, a memoryunit or the data storage unit of the at least one electronic evaluationand control unit.

The disclosure also relates to a computer-readable data carrier havingstored thereon the computer program described above. The computerprogram product can be stored in machine-readable data carriers,preferably digital storage media.

In summary, a simple and practical method, apparatus, computer programand data carrier for determining a secret cryptographic key sharedbetween a sending unit and a receiving unit for secure communicationshas been proposed. The shared secret cryptographic key can be used for awide range of symmetric cryptographic protocols. In particular, with theproposed disclosure key distribution with a high level of security andhigh key exchange rate can be achieved.

BRIEF DESCRIPTION OF THE FIGURES

Exemplary embodiments of the disclosure are illustrated in the drawingsand will now be described with reference to FIGS. 1 to 6.

In the figures:

FIG. 1 shows a schematic flow diagram of an embodiment of the method,

FIG. 2 shows a schematic flow diagram of another embodiment of themethod,

FIG. 3 shows a schematic diagram of an embodiment of the apparatus,

FIG. 4 shows the dependence of the key generation speed on the signalloss caused by an eavesdropper for a predetermined set of cipheringprotocols each comprising a different degree of indistinguishability,

FIG. 5 shows the dependence of the optimal degree ofindistinguishability on the signal loss caused by an eavesdropper andthe intrinsic signal loss, and

FIG. 6 shows the dependence of the key exchange rate on the signal losscaused by an eavesdropper and the intrinsic signal loss.

DETAILED DESCRIPTION

FIG. 1 shows a schematic flow diagram of an embodiment of the method fordetermining a secret cryptographic key shared between a sending unit 1and a receiving unit 2 for secure communication. The method comprises afirst step S1, a second step S2, a third step S3, a fourth step S4, afifth step S5, a sixth step S6 and a seventh step S7 carried outconsecutively.

The first step S1 comprises obtaining, by the sending unit 1, a randombit sequence R of length L by using a classical random number generator.In an alternative embodiment, the random bit sequence R of length L mayalso be predetermined and electronically stored at the sending unit 1.

The second step S2 comprises transmitting, at the sending unit 1, afirst sequence of coherent electromagnetic pulses 1.1 to the receivingunit 2 via a communication channel 3. Thereby, each coherentelectromagnetic pulse 1.1 of the first sequence of coherentelectromagnetic pulses 1.1 corresponds to a bit of the random bitsequence R according to a ciphering protocol CP1, CP2, CP3, CP4.

Specifically, the first sequence of coherent electromagnetic pulses 1.1is generated by using a laser source. According to the cipheringprotocol CP1, CP2, CP3, CP4, the first sequence comprises multiple firstcoherent electromagnetic pulses and multiple second coherentelectromagnetic pulses, wherein each first coherent electromagneticpulse of the first sequence corresponds to a first coherent state |α₀<and is assigned to a bit of the random bit sequence R with a bit value0. Each second coherent electromagnetic pulse of the first sequencecorresponds to a second coherent state |α₁< and is assigned to a bit ofthe random bit sequence R with the bit value 1. Consequently, eachcoherent electromagnetic pulse 1.1 in the first sequence of coherentelectromagnetic pulses 1.1 corresponds to a bit of the random bitsequence R.

More specifically, the ciphering protocol CP1, CP2, CP3, CP4 comprisesan assignment rule and ciphering mode information. According to theciphering mode information, intensity-ciphering is specified as aciphering mode. According to the assignment rule, a first coherent state|α₀

with the complex-valued coherent state amplitude α₀ is assigned to a bitwith a bit value 0, and a second coherent state |α₁

with the complex-valued coherent state amplitude α₁ is assigned to a bitwith a bit value 1. The average photon number

n₀

=|α₀|² of the first coherent state |α₀

is different from the average photon number

n₁

=|α₁|² of the second coherent state |α₁

. The phases of the first coherent state |α₀

and the second coherent state |α₁

are chosen identically. The degree of indistinguishability of the firstcoherent state |α₁

and the second coherent state |α₁

is given by the absolute value 0 f the overlap matrix element of thefirst coherent state |α₀

and the second coherent state |α₁

, i.e., for intensity-ciphering

|

α₀|α₁

|=exp(−[√{square root over (

n ₁

)}−√{square root over (

n ₀

)}]²/2)≠1.  (1)

According to the present embodiment, the average photon numbers

n_(j)

(j=0,1) are predetermined. Exemplarily, the average photon number of thefirst coherent state is

n₀

=1000 and the average photon number of the second coherent state is

n₁

=1077 in order to realize a degree of indistinguishability of |

α|α₁

|≈0.5. In an alternative embodiment, the average photon numbers (n₁)(j=0,1) may also be chosen from the result of an optimization in orderto ensure an optimized and increased information advantage over aneavesdropper 4 and a maximal key generation rate as discussed furtherbelow.

In another embodiment, the ciphering mode can be phase-ciphering. Inthis case, the phases of the first coherent state |α₀

and the second coherent state |α₁

differ by a phase difference ϕ and the respective average photon numbersare identical

n

=

n₀

=

n₁

. The degree of indistinguishability of the first coherent state |α₁

and the second coherent state |α₁

is then given by

|

α₀|α₁

|=exp([cos ϕ−1]

n

)≠1.  (2)

Exemplarily, the average photon number of the first coherent state andthe second coherent state is

n

=10 and the phase difference is ϕ=π. In an alternative embodiment, theaverage photon numbers (n) and the phase difference may also be chosenfrom the result of an optimization in order to ensure an optimized andincreased information advantage over an eavesdropper 4 and a maximal keygeneration rate.

The third step S₃ comprises receiving, at the receiving unit 2, a secondsequence of coherent electromagnetic pulses 2.1 corresponding to thetransmitted first sequence of coherent electromagnetic pulses 1.2. Eachof the received coherent electromagnetic pulses 2.1 corresponds to areceived first coherent state |β_(B)α₀

or a received second coherent state |β_(B)α₁

, where t_(B)=|β_(B)|² denotes the proportion of the correspondingsignal received at the receiving unit 2.

The third step S3 also comprises measuring at least the intensities ofthe received coherent electromagnetic pulses 2.1 using at least oneoptical detector. The third step S3 further comprises deciphering, atthe receiving unit 2, the second sequence of coherent electromagneticpulses 2.1 based on the measured intensities and the ciphering protocolCP1, CP2, CP3, CP4 in order to obtain an approximate result for therandom bit sequence R. The deciphering comprises assigning a bit value 0or a bit value 1 to each of the received coherent electromagnetic pulses2.1.

Since the coherent states |β_(B)α_(j)

(j=0,1) that correspond to the received coherent electromagnetic pulses2.1 are not perfectly orthogonal, some of the received coherentelectromagnetic pulses 2.1 may not unambiguously be deciphered based onthe measured intensities and the ciphering protocol CP1, CP2, CP3, CP4.Therefore, the fourth step S4 comprises performing unambiguous quantumstate discrimination. Specifically, the fourth step S4 comprisesshortening the approximate result for the random bit sequence R obtainedfrom deciphering the received second sequence of coherentelectromagnetic pulses 2.1 in the third step S3.

Thereby, any inconclusive results, i.e., bits that correspond toreceived coherent electromagnetic pulses 2.1 for which the measuredintensities can be almost equally attributed to the first coherent state|α₀)

and the second coherent state |α₁

are discarded. For that purpose, the receiving unit 2 announces thecorresponding bits to the sending unit 1 via an authenticated publicclassical channel. The bits corresponding to the inconclusive resultsare then discarded by the sending unit 1 and the receiving unit 2, i.e.,a shared bit sequence is obtained by the sending unit 1 and thereceiving unit 1. The length of the shared bit sequence is L I_(AB),where I_(AB) denotes the mutual information of the sending unit and thereceiving unit (per 1 bit of a bit sequence) estimated as

I _(AB)=1−|

α₀|α₁

|^(t) ^(B) .  (3)

The shared bit sequence established in the fourth step S₄ may not befully secure. An eavesdropper 4 can meddle into the communicationchannel 3 near the sending unit 1, e.g., by bending the communicationchannel 3 and measuring the transcending optical modes 4.1 correspondingto the coherent states |β_(E)α_(j)

. Thus, the signal loss caused by an eavesdropper 4 or, equivalently,the proportion of power intercepted by an eavesdropper 4 isr_(E)=|β_(E)|². Since the first and second coherent states |α_(j)

are quasi-classical, the eavesdropper 4 is limited to measuring aquantum number of photons corresponding to the states |β_(E)α_(j)

. Thus, contrary to the receiving unit 2, the eavesdropper 4 is not ableto efficiently amplify the seized signal corresponding to the coherentstates |β_(E)α_(j)

. Moreover, due to the coherent state properties of the seized signal,the following relation holds, i.e.,

β_(E)α₀|β_(E)α₁

=|

α₀|α₁

|^(r) ^(E) .  (4)

Consequently, for small signal loss r_(E) caused by an eavesdropper 4the states |β_(E)α_(j)

are substantially non-orthogonal, and the eavesdropper 4 may notunambiguously decipher the seized signal. However, the informationgained by the eavesdropper 4 may still render the shared bit sequenceestablished in the fourth step not completely secure. Therefore, it isuseful to determine the signal loss β_(E) in the communication channel 3caused by an eavesdropper 4 and estimate the information advantage ΔIover an eavesdropper 4.

The fifth step S5 comprises determining the signal loss r_(E) in thecommunication channel 3 caused by an eavesdropper 4. For that purpose,first the intrinsic signal loss r₀ of the communication channel 3 thatis not caused by an eavesdropper 4 is determined in the fifth step S₅.This is achieved by transmitting an initial coherent electromagneticpulse from the sending unit 1 to the receiving unit 2 via thecommunication channel 3 on a very short time scale, i.e., before aneavesdropper 4 has a chance to intrude into the communication channel 3.The initial coherent electromagnetic pulse corresponds to a classicalhigh intensity coherent state with an average photon number of 100,000.The intensity of the transmitted initial coherent electromagnetic pulseis measured at the receiving unit 2, and the intrinsic signal loss r₀ isobtained from the measured intensity. In an alternative embodiment, theintrinsic signal loss r₀ may also be pre-determined and estimated from atheoretical model of the communication channel 3.

The signal loss r_(E) in the communication channel 3 caused by aneavesdropper 4 is determined by transmitting randomized coherentelectromagnetic test pulses from the sending unit 1 to the receivingunit 2 via the communication channel 3 at regular time intervals. Eachrandomized coherent electromagnetic test pulse corresponds to a highintensity coherent state with an average photon number of 10,000. Theintensities of the transmitted randomized coherent electromagnetic testpulses are measured at the receiving unit 2 and compared with theintensities of the randomized coherent electromagnetic test pulses sentby the sending unit 1, e.g., via an authenticated classical publicchannel 5, in order to determine the total signal loss r_(t). The signalloss r_(E) in the communication channel 3 caused by an eavesdropper 4 isthen obtained by subtracting the intrinsic signal loss r₀ from the totalsignal loss r_(t), i.e., r_(E)=(r_(t)−r₀)/(1−r₀).

The sixth step S6 comprises estimating an information advantage ΔI overan eavesdropper 4 based on the determined signal loss r_(E) in thecommunication channel 3 caused by an eavesdropper 4. The informationadvantage ΔI over an eavesdropper 4 is estimated using Shannoninformation theory.

The sixth step S6 comprises estimating the maximum of informationobtained by an eavesdropper about the shared bit sequence established inthe fourth step S₄ according to

max(Ī _(AE))=(1−P _(B))h((1−|

α₀|α₁

|^(r) ^(E) )/2),  (5)

where the function h(p) for a variable p denotes the binary information

h(p)=−p log p−(1−p)log(1−p)  (6)

and

P _(B)=1−I _(AB)=|

α₀|α₁

|^(t) ^(B)   (7)

denotes the probability that a bit is discarded by the sending unit 1and the receiving unit 2 during information reconciliation in the fourthstep S4.

The proportion t_(B) of the signal received at the receiving unit 2 inthe third step S3 is given by

t _(B)=(1−r _(E))(1−r ₀).  (8)

The information advantage ΔI over an eavesdropper 4 is then estimatedaccording to

ΔI=I _(AB)−max(Ī _(AE))  (9)

and is thus expressed in terms of the degree of indistinguishability,the determined signal loss r_(E) caused by an eavesdropper 4 and theintrinsic signal loss r₀, i.e.,

ΔI=[1−|

α₀|α₁

|^((1−r) ^(E) ^()(1−r) ⁰ ⁾][1−h((1−|

α₀|α₁

|^(r) ^(E) /2)].  (10)

In the seventh step S7 privacy amplification is applied to the sharedbit sequence established in the fourth step S4. The privacyamplification is carried out based on the information advantage ΔI overthe eavesdropper 4 estimated in the sixth step S6. In particular, ashared secret cryptographic key is distilled from the shared bitsequence established in the fourth step S4 in order to eradicate theinformation of an eavesdropper 4. The shared secret cryptographic keyhas the length

L _(f) =LΔI,  (11)

where L denotes the length of the random bit sequence R obtained fromthe classical random number generator in the first step S1. Therefore,the key generation rate L_(f)/L=ΔI is determined by the estimate of theinformation advantage ΔI over an eavesdropper 4 established in the sixthstep S6.In order to obtain the secret shared cryptographic key with the lengthL_(f) a key distillation procedure is carried out. For that purpose, theshared bit sequence established in the fourth step S4 is transformedusing a random function g: {0,1}^(LI) ^(AB) →{0,1}^(L) ^(f) and L_(f)bits are extracted from the shared bit sequence as a new bit string.

Since an eavesdropper 4 does not possess any information about the newbit string, the new bit string can be used as a secret cryptographic keyshared between the sending unit 1 and the receiving unit 2 for securecommunications.

Recurring features are provided in the following figures with identicalreference signs as in FIG. 1.

FIG. 2 shows a schematic flow diagram of another embodiment of themethod for determining a secret cryptographic key shared between asending unit 1 and a receiving unit 2 for secure communication.

The embodiment shown in FIG. 2 differs from the embodiment discussedwith respect to FIG. 1 in that the fifth step S5 and the sixth step S6are carried out before the second step S2 is carried out. The estimatingof the information advantage ΔI in the sixth step S6 then comprisesoptimizing the information advantage ΔI for the signal loss r_(E) causedby an eavesdropper 4 and the intrinsic loss r₀ that have both beendetermined in the fifth step S5.

For that purpose the expression for the information advantage ΔI asderived further above is optimized as a function of the degree ofindistinguishability of the first coherent state |α₀

and the second coherent state |α₁

by standard numerical means, wherein the degree of indistinguishabilityrepresents a ciphering parameter. More specifically, the optimal valuefor the degree of indistinguishability is determined, wherein theoptimal value corresponds to the maximal information advantage ΔI overan eavesdropper 4. Results of such an optimization are shown in FIGS. 5and 6.

The optimal value for the degree of indistinguishability is then used todetermine the ciphering protocol CP1, CP2, CP3, CP4 in order to ensure amaximal information advantage ΔI over an eavesdropper 4. Thereby, theaverage photon number

n₀

of the first coherent state |α₀

and the average photon number

n₁

of the second coherent state |α₁

of the ciphering protocol CP1, CP2, CP3, CP4 are chosen such that theirdegree of indistinguishability corresponds to its optimal value. Withthe ciphering protocol CP1, CP2, CP3, CP4 optimized in this way, thesecond step S2 is carried out. Moreover, the maximal value 0 f theinformation advantage ΔI obtained from the optimization is used as anestimate for the information advantage ΔI for privacy amplification, asdescribed in the seventh step S7.

FIG. 3 shows a schematic diagram of an embodiment of the apparatusconfigured to carry out the steps of the method for determining a secretcryptographic key shared between a sending unit 1 and a receiving unit 2for secure communication.

The apparatus comprises one sending unit 1, one receiving unit 2 and atransmission line or optical fibre as a communication channel 3.

The sending unit 1 comprises a first electronic evaluation and controlunit, a classical random number generator and a laser as a coherentelectromagnetic radiation source (not shown). The classical randomnumber generator is configured to generate the random bit sequence R.The laser is configured to generate the first sequence of coherentelectromagnetic pulses 1.1.

An eavesdropper 4 meddles into the communication channel 3 near thesending unit 1. The eavesdropper 4 is configured to seize part of thesignal 4.1 corresponding to the first sequence of coherentelectromagnetic pulses 1.1.

The receiving unit 2 comprises a second electronic evaluation andcontrol unit and an optical detector (not shown). The optical detectoris configured to receive the second sequence of coherent electromagneticpulses 2.1. The apparatus further comprises an authenticated publicclassical channel (not shown).

The sending unit 1 is configured to perform the first step S1. Thesending unit 1 and the communication channel 3 are configured to performthe second step S2. The receiving unit 2 is configured to perform thethird step S3. The sending unit 1, the receiving unit 2 and theauthenticated public classical channel are configured to perform thefourth step S4.

The sending unit 1, the receiving unit 2 and the communication channel 3are configured to perform the fifth step S5. The receiving unit 2 isconfigured to perform the sixth step S6. The sending unit 1, thereceiving unit 2 and the authenticated public classical channel areconfigured to perform the seventh step S7.

FIG. 4 shows the dependence of the key generation speed L_(f) divided bythe random number generation speed L on the signal loss r_(E) caused byan eavesdropper 4 for an intrinsic loss r₀=0.5 and a discretepredetermined set of ciphering protocols CPSET including a firstciphering protocol CP1, a second ciphering protocol CP2, a thirdciphering protocol CP3 and a fourth ciphering protocol CP4. Theciphering protocols CP1, CP2, CP3, CP4 differ by the degree ofindistinguishability of the first coherent state |α₀

and the second coherent state |α₁

. From the discrete set of ciphering protocols CP1, CP2, CP3 and CP4,the third ciphering protocol CP3 ensures the maximal informationadvantage ΔI and maximal key generation speed L_(f)/L for a signal lossr_(E) caused by an eavesdropper 4 smaller than 0.05. It can be derivedfrom FIG. 4 that with increasing signal loss r_(E) the optimal degree ofindistinguishability ensuring a maximal information advantage ΔIincreases while the maximal achievable information advantage ΔIdecreases.

FIG. 5 shows the dependence of the optimal degree ofindistinguishability on the signal loss r_(E) caused by an eavesdropper4 and the intrinsic signal loss r₀. Shown are constant contour lines forthe optimal degree of indistinguishability as a result of theoptimization of the information advantage ΔI as discussed further above.Exemplarily, for a signal loss r_(E)=0.4 caused by an eavesdropper 4 andthe intrinsic signal loss r₀=0.3, the optimal value for the degree ofindistinguishability is |

α₀|α₁

|≈0.4. The first coherent state and the second coherent state of theciphering protocol CP1, CP2, CP3, CP4 are then chosen correspondingly.The results shown in FIG. 5 are thus used to determine the optimalciphering protocol CP1, CP2, CP3, CP4 used in the second step S2.

Correspondingly, FIG. 6 shows the maximal key exchange rate L_(f)/Lcorresponding to the maximal information advantage ΔI and its dependenceon the signal loss r_(E) caused by an eavesdropper 4 and the intrinsicsignal loss r₀. Shown are constant contour lines for the maximal keyexchange rate L_(f)/L corresponding to the maximal information advantageΔI as a result of the optimization of the information advantage ΔI asdiscussed further above.

Exemplarily, for a signal loss r_(E)=0.1 caused by an eavesdropper 4 andthe intrinsic signal loss r₀=0.6 the maximal information advantage isΔI=L_(f)/L≈0.150. The length L_(f) of the shared secure cryptographickey established through privacy amplification in step S7 is then chosencorrespondingly. The results shown in FIG. 6 are thus used to determinethe key exchange rate in the seventh step S7.

Features of the different embodiments which are merely disclosed in theexemplary embodiments as a matter of course can be combined with oneanother and can also be claimed individually.

1. A method for determining a secret cryptographic key shared between asending unit and a receiving unit for secure communication, the methodcomprising: a first step of obtaining, by the sending unit, a random bitsequence R, a second step of transmitting, at the sending unit, a firstsequence of electromagnetic pulses to the receiving unit via acommunication channel, wherein each electromagnetic pulse of the firstsequence of electromagnetic pulses corresponds to a bit of the randombit sequence R according to a ciphering protocol, a third step ofreceiving, at the receiving unit, a second sequence of electromagneticpulses corresponding to the transmitted first sequence ofelectromagnetic pulses, and deciphering the second sequence ofelectromagnetic pulses based on the ciphering protocol, a fourth step ofperforming information reconciliation based on the received secondsequence of electromagnetic pulses in order to establish a shared bitsequence, and a fifth step of determining a signal loss r_(E) in thecommunication channel caused by an eavesdropper, a sixth step ofestimating an information advantage ΔI over the eavesdropper based onthe determined signal loss r_(E), and a seventh step of performingprivacy amplification based on the shared bit sequence and the estimatedinformation advantage ΔI in order to establish a shared secretcryptographic key.
 2. The method according to claim 1, wherein the fifthstep and the sixth step are carried out before the second step iscarried out, and the estimating of the information advantage ΔI in thesixth step comprises optimizing the information advantage ΔI for thesignal loss r_(E) determined in the fifth step as a function of at leastone ciphering parameter, and determining the ciphering protocolaccording to the optimization result in order to ensure a maximalinformation advantage ΔI over the eavesdropper.
 3. The method accordingto claim 2, wherein the at least one ciphering parameter corresponds toa degree of indistinguishability between a first quantum state to beassigned according to the ciphering protocol to a bit of the random bitsequence R with bit value 0 and a second quantum state to be assignedaccording to the ciphering protocol to a bit of the random bit sequenceR with bit value
 1. 4. The method according to claim 1, wherein at leastthe electromagnetic pulses of the first sequence of electromagneticpulses are coherent electromagnetic pulses; and/or the cipheringprotocol comprises an assignment rule, wherein according to theassignment rule a first coherent electromagnetic pulse and/or a firstcoherent state as a first quantum state is assigned to a bit value 0 anda second coherent electromagnetic pulse and/or a second coherent stateas a second quantum state is assigned to a bit value 1; and/or theciphering protocol comprises ciphering mode information, whereinaccording to the ciphering mode information a ciphering mode is anintensity ciphering or a phase ciphering.
 5. The method according toclaim 1, wherein the fourth step comprises sending feedback informationfrom the receiving unit to the sending unit using an authenticatedpublic classical channel, wherein the feedback information includesinformation about inconclusive results obtained from the deciphering ofthe second sequence of electromagnetic pulses at the receiving unit. 6.The method according to claim 1, wherein the determining of the signalloss r_(E) in the communication channel caused by the eavesdroppercomprises transmitting at least one randomized electromagnetic testpulse from the sending unit to the receiving unit via the communicationchannel, and determining the signal loss r_(E) in the communicationchannel caused by the eavesdropper from the at least one randomizedelectromagnetic test pulse detected at the receiving unit.
 7. The methodaccording to claim 6, wherein the at least one randomizedelectromagnetic test pulse is a high-intensity coherent electromagneticpulse.
 8. The method according to claim 6, wherein the at least onerandomized electromagnetic test pulse comprises a random pulse intensityand/or a random pulse phase and/or a random pulse duration and/or arandom pulse shape.
 9. The method according to claim 1, furthercomprising adapting the ciphering protocol after the fourth step iscarried out, and repeatedly carrying out at least the second step, thethird step and the fourth step based on the adapted ciphering protocolin order to increase a length of the shared bit sequence in the fourthstep, and/or to decrease an error rate of deciphering in the fourthstep.
 10. The method according to claim 1, wherein the privacyamplification in the seventh step comprises distilling from the sharedbit sequence obtained in the fourth step a shared secret cryptographickey with length L_(f)=L ΔI, where L is the length of the random bitsequence R and ΔI is the information advantage estimated in the sixthstep.
 11. An apparatus configured to carry out the steps of the methodaccording to claim 1, wherein the apparatus comprises at least onesending unit and at least one receiving unit coupled by at least onecommunication channel.
 12. The apparatus according to claim 11, whereinthe at least one sending unit comprises a random number generatorconfigured to generate the random bit sequence R; and/or the at leastone sending unit comprises an electromagnetic radiation sourceconfigured to generate the first sequence of electromagnetic pulsesand/or at least one randomized electromagnetic test pulse; and/or the atleast one receiving unit comprises a detector unit configured to measureintensities and/or phases of the second sequence of electromagneticpulses and/or of at least one randomized electromagnetic test pulse;and/or the apparatus additionally comprises at least one authenticatedpublic classical channel configured to transmit feedback informationfrom the at least one receiving unit to the at least one sending unitfor information reconciliation and/or privacy amplification.
 13. Theapparatus according to claim 11, wherein the at least one communicationchannel is a transmission line or an optical fibre; and/or the at leastone communication channel comprises in-line amplifiers configured toamplify the transmitted first sequence of electromagnetic pulses in oralong the communication channel; and/or the receiving unit and/or the atleast one communication channel is configured to exhibit intrinsiclosses only due to Rayleigh scattering.
 14. A computer programcomprising instructions which, when the program is executed by acomputer, cause the computer to carry out the steps of the methodaccording to claim
 1. 15. A computer-readable data carrier having storedthereon the computer program of claim 14.